apparmor profile blocks Sun Java plugin

Bug #570128 reported by Matthias Andree
This bug affects 1 person
Affects                 Status        Importance  Assigned to       Milestone
firefox (Ubuntu)        Fix Released  Low         Jamie Strandboge
  Karmic                Won't Fix     Low         Jamie Strandboge
  Lucid                 Fix Released  Low         Jamie Strandboge
  Maverick              Fix Released  Low         Jamie Strandboge
firefox-3.5 (Ubuntu)    Invalid       Low         Unassigned
  Karmic                Fix Released  Low         Jamie Strandboge
  Lucid                 Invalid       Low         Unassigned
  Maverick              Invalid       Low         Unassigned

Bug Description

Binary package hint: firefox-3.5

The AppArmor profile shipping with firefox-3.5.9+nobinonly-0ubuntu0.9.10.1 is too restrictive and prevents firefox from starting the "java_vm" process if the firefox-3.5 profile is being enforced.

This may be a recent regression, but I cannot verify that.

Tested patch attached.

ProblemType: Bug
Architecture: i386
Date: Mon Apr 26 13:51:34 2010
DistroRelease: Ubuntu 9.10
Package: firefox-3.5 3.5.9+nobinonly-0ubuntu0.9.10.1
ProcEnviron:
 LANGUAGE=de_DE:de:en_GB:en
 PATH=(custom, no user)
 LANG=de_DE.UTF-8
 SHELL=/bin/bash
ProcVersionSignature: Ubuntu 2.6.31-20.58-generic
SourcePackage: firefox-3.5
Uname: Linux 2.6.31-20-generic i686

Matthias Andree (matthias-andree) wrote :
Changed in firefox-3.5 (Ubuntu):
status: New → Confirmed
Matthias Andree (matthias-andree) wrote :

Relevant kernel logging and aa-status output:

Apr 26 13:05:27 rho kernel: [81864.337459] type=1503 audit(1272279927.968:163): operation="exec" pid=4087 parent=3887 profile="/usr/lib/firefox-3.5.*/firefox" requested_mask="::x" denied_mask="::x" fsuid=504 ouid=0 name="/usr/lib/jvm/java-6-sun-1.6.0.16/jre/bin/java_vm"
Apr 26 13:05:27 rho kernel: [81864.353749] type=1503 audit(1272279927.984:164): operation="exec" pid=4088 parent=3887 profile="/usr/lib/firefox-3.5.*/firefox" requested_mask="::x" denied_mask="::x" fsuid=504 ouid=0 name="/usr/lib/jvm/java-6-sun-1.6.0.16/jre/bin/java_vm"
Apr 26 13:05:28 rho kernel: [81864.367511] type=1503 audit(1272279927.996:165): operation="exec" pid=4089 parent=3887 profile="/usr/lib/firefox-3.5.*/firefox" requested_mask="::x" denied_mask="::x" fsuid=504 ouid=0 name="/usr/lib/jvm/java-6-sun-1.6.0.16/jre/bin/java_vm"

$ sudo aa-status
apparmor module is loaded.
17 profiles are loaded.
13 profiles are in enforce mode.
   /usr/share/gdm/guest-session/Xsession
   /usr/lib/firefox-3.5.*/firefox
   /usr/bin/evince-thumbnailer
[...]
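
Added example, not part of the original report: one way to triage denials like the ones logged above is to parse the `type=1503` audit records and group them by profile, operation, denied mask and target path. The function names are hypothetical; the first three sample lines are copied from the report and the fourth is constructed.

```python
import re
from collections import defaultdict

# First three lines are copied from the report above; the last one is a
# constructed non-audit kernel line to show that unrelated records are skipped.
SAMPLE_LOG = """\
Apr 26 13:05:27 rho kernel: [81864.337459] type=1503 audit(1272279927.968:163): operation="exec" pid=4087 parent=3887 profile="/usr/lib/firefox-3.5.*/firefox" requested_mask="::x" denied_mask="::x" fsuid=504 ouid=0 name="/usr/lib/jvm/java-6-sun-1.6.0.16/jre/bin/java_vm"
Apr 26 13:05:27 rho kernel: [81864.353749] type=1503 audit(1272279927.984:164): operation="exec" pid=4088 parent=3887 profile="/usr/lib/firefox-3.5.*/firefox" requested_mask="::x" denied_mask="::x" fsuid=504 ouid=0 name="/usr/lib/jvm/java-6-sun-1.6.0.16/jre/bin/java_vm"
Apr 26 13:05:28 rho kernel: [81864.367511] type=1503 audit(1272279927.996:165): operation="exec" pid=4089 parent=3887 profile="/usr/lib/firefox-3.5.*/firefox" requested_mask="::x" denied_mask="::x" fsuid=504 ouid=0 name="/usr/lib/jvm/java-6-sun-1.6.0.16/jre/bin/java_vm"
Apr 26 13:05:29 rho kernel: [81865.000000] usb 1-1: new high speed USB device using ehci_hcd
"""

# key=value pairs; a value is either double-quoted or a bare token.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denial(line):
    """Return the fields of one type=1503 audit record as a dict, else None."""
    if "type=1503" not in line:
        return None
    return {k: (q if b == "" else b) for k, q, b in FIELD.findall(line)}

def summarize(log_text):
    """Group denials by (profile, operation, denied_mask, name) with counts and PIDs."""
    groups = defaultdict(lambda: {"count": 0, "pids": set()})
    for line in log_text.splitlines():
        rec = parse_denial(line)
        if not rec or "denied_mask" not in rec:
            continue
        key = (rec.get("profile"), rec.get("operation"),
               rec["denied_mask"], rec.get("name"))
        groups[key]["count"] += 1
        if "pid" in rec:
            groups[key]["pids"].add(int(rec["pid"]))
    return dict(groups)

if __name__ == "__main__":
    for (profile, op, mask, name), info in summarize(SAMPLE_LOG).items():
        print(f"{info['count']}x {op} denied ({mask}) under {profile}: {name}")
```

Grouping collapses the three records into a single finding: the enforced Firefox profile has no exec rule covering the `java_vm` path.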

Lorenzo De Liso (blackz)
tags: added: patch
Micah Gersten (micahg)
tags: added: apparmor
Micah Gersten (micahg) wrote :

Thanks for reporting this bug and any supporting documentation. Since this bug has enough information provided for a developer to begin work, I'm going to mark it as Triaged and let them handle it from here. Thanks for taking the time to make Ubuntu better! Please report any other issues you may find.

Changed in firefox-3.5 (Ubuntu):
importance: Undecided → Medium
status: Confirmed → Triaged
Changed in firefox-3.5 (Ubuntu Lucid):
status: New → Triaged
Changed in firefox-3.5 (Ubuntu Karmic):
status: New → Triaged
Changed in firefox-3.5 (Ubuntu Maverick):
status: Triaged → Invalid
Changed in firefox (Ubuntu Lucid):
status: New → Triaged
importance: Undecided → Low
Changed in firefox (Ubuntu Karmic):
status: New → Triaged
importance: Undecided → Low
Changed in firefox-3.5 (Ubuntu Maverick):
importance: Medium → Low
Changed in firefox (Ubuntu Maverick):
status: New → Fix Committed
importance: Undecided → Low
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in firefox-3.5 (Ubuntu Lucid):
importance: Undecided → Low
Changed in firefox-3.5 (Ubuntu Karmic):
importance: Undecided → Low
Changed in firefox-3.5 (Ubuntu Lucid):
status: Triaged → Invalid
Changed in firefox (Ubuntu Lucid):
status: Triaged → Fix Committed
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in firefox (Ubuntu Karmic):
status: Triaged → Fix Committed
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in firefox-3.5 (Ubuntu Karmic):
status: Triaged → Fix Committed
assignee: nobody → Jamie Strandboge (jdstrand)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package firefox - 3.6.4+build7+nobinonly-0ubuntu1

---------------
firefox (3.6.4+build7+nobinonly-0ubuntu1) maverick; urgency=low

  * New upstream release v3.6.4 (FIREFOX_3_6_4_BUILD7)

  [ Micah Gersten <email address hidden> ]
  * Rebase patch after upstream landing of Lorentz branch
    - update debian/patches/bz460917_att350845_reload_new_plugins.patch
  * Drop patch after upstream landing of (bmo: 544481) aka
    Build fails on Ubuntu Lucid Lynx using 'dash' shell
    - drop debian/patches/fix-build-glitch.patch
    - update debian/patches/series

  [ Jamie Strandboge <email address hidden> ]
  * AppArmor:
    - allow ixr access to /usr/lib/xulrunner-*/plugin-container for xul builds
    - finetune Adobe Reader access (LP: #570337)
    - silence noisy denial on /boot/vmlinuz* and /boot/initrd.img* caused by
      readlinking symlinks in / (LP: #571761)
    - allow 'm' for java's 'classes.jsa' file (LP: #574459)
    - transition to firefox_java on Sun's jre/bin/java_vm too (LP: #570128)
    - allow Uxr for gnome-codec-install (LP: #577097)

  [ Chris Coulson <email address hidden> ]
  * Rebase patches for 3.6.4 release
    - update debian/patches/firefox-kde.patch
    - update debian/patches/mozilla-kde.patch
    - update debian/patches/add_syspref_dir.patch
  * Build with --enable-ipc on amd64, i386 and armel. These are the only
    architectures where OOPP is supported. Build with --disable-ipc on all
    other architectures
    - update debian/rules
  * Fix LP: #513887 - Install the plugin-container binary for OOPP support
    when building with --enable-ipc
    - update debian/rules
  * Fix build failure with fontconfig 2.5
    - update debian/patches/lp512615_cairo_lcd_filter.patch
  * Fix LP: #469752 - KDE/Gnome startup notification not disappearing
    when app window is up - build with --enable-startup-notification
    - update debian/rules
 -- Chris Coulson <email address hidden> Wed, 23 Jun 2010 15:31:44 +0100

Changed in firefox (Ubuntu Maverick):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package firefox - 3.6.6+nobinonly-0ubuntu0.10.04.1

---------------
firefox (3.6.6+nobinonly-0ubuntu0.10.04.1) lucid-security; urgency=low

  * New upstream release v3.6.6 (FIREFOX_3_6_6_RELEASE)
    - see USN-930-1

  [ Micah Gersten <email address hidden> ]
  * Rebase patch after upstream landing of Lorentz branch
    - update debian/patches/bz460917_att350845_reload_new_plugins.patch
  * Drop patch after upstream landing of (bmo: 544481) aka
    Build fails on Ubuntu Lucid Lynx using 'dash' shell
    - drop debian/patches/fix-build-glitch.patch
    - update debian/patches/series

  [ Jamie Strandboge <email address hidden> ]
  * Apparmor:
    - allow ixr access to /usr/lib/xulrunner-*/plugin-container for xul builds
    - finetune Adobe Reader access (LP: #570337)
    - silence noisy denial on /boot/vmlinuz* and /boot/initrd.img* caused by
      readlinking symlinks in / (LP: #571761)
    - allow 'm' for java's 'classes.jsa' file (LP: #574459)
    - transition to firefox_java on Sun's jre/bin/java_vm too (LP: #570128)
    - allow Uxr for gnome-codec-install (LP: #577097)

  [ Chris Coulson <email address hidden> ]
  * Rebase patches for 3.6.4 release
    - update debian/patches/firefox-kde.patch
    - update debian/patches/mozilla-kde.patch
    - update debian/patches/add_syspref_dir.patch
  * Build with --enable-ipc on amd64, i386 and armel. These are the only
    architectures where OOPP is supported. Build with --disable-ipc on all
    other architectures
    - update debian/rules
  * Fix LP: #513887 - Install the plugin-container binary for OOPP support
    when building with --enable-ipc
    - update debian/rules
  * Fix LP: #469752 - KDE/Gnome startup notification not disappearing
    when app window is up - build with --enable-startup-notification
    - update debian/rules
 -- Chris Coulson <email address hidden> Mon, 28 Jun 2010 12:46:36 +0100

Changed in firefox (Ubuntu Lucid):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package firefox-3.5 - 3.6.7+build2+nobinonly-0ubuntu0.9.10.1

---------------
firefox-3.5 (3.6.7+build2+nobinonly-0ubuntu0.9.10.1) karmic-security; urgency=low

  [ Chris Coulson <email address hidden> ]
  * New major upstream release v3.6.7 (FIREFOX_3_6_7_BUILD2)
    - see USN-930-1

  * Switch to using unversioned binaries. This means that firefox and
    firefox-gnome-support are no longer meta-packages depending on the latest
    versioned binary packages, but they ship the binary components. Convert
    firefox-3.5* packages to meta packages which pull in the unversioned binaries
    to ensure a smooth upgrade path
    - update debian/control
    - rename debian/firefox-3.5-dev.install => debian/firefox-dev.install
    - rename debian/firefox-3.5-dev.links => debian/firefox-dev.links
    - rename debian/firefox-3.5-final.desktop => debian/firefox-final.desktop
    - rename debian/firefox-3.5-gnome-support.install => debian/firefox-gnome-support.install
    - rename debian/firefox-3.5-gnome-support.postinst.in => debian/firefox-gnome-support.postinst
    - rename debian/firefox-3.5-minefield.desktop => debian/firefox-minefield.desktop
    - rename debian/firefox-3.5-restart-required.update-notifier => debian/firefox-restart-required.update-notifier
    - rename debian/firefox-3.5.dirs => debian/firefox.dirs
    - rename debian/firefox-3.5.install => debian/firefox.install
    - rename debian/firefox-3.5.links => debian/firefox.links
    - rename debian/firefox-3.5.menu => debian/firefox.menu
    - rename debian/firefox-3.5.postinst.in => debian/firefox.postinst.in
    - rename debian/firefox-3.5.postrm.in => debian/firefox.postrm.in
    - rename debian/firefox-3.5.preinst.in => debian/firefox.preinst.in
    - rename debian/firefox-3.5.prerm => debian/firefox.prerm.in
    - rename debian/abrowser-3.5.desktop => debian/abrowser.desktop
    - update Icon name in debian/firefox-final.desktop
    - update Icon name in debian/abrowser.desktop
    - update Icon and Exec fields in debian/firefox-minefield.desktop
    - update Name and Description in debian/firefox-restart-required.update-notifier
    - update debian/firefox.links to not create versioned link in /usr/bin
    - update fields in debian/firefox.menu
    - update debian/firefox.prerm.in
  * Use Namoroka instead of Shiretoko as brand name and use it for snapshots.
    Name it Namoroka in the Preferred Application UI too
    - update debian/firefox-3.6-shiretoko.desktop => debian/firefox-namoroka.desktop
    - update debian/firefox.xml
    - update debian/rules
  * Implement MIN_SYS_DEPS approach that does not use system xulrunner
    and only a minimal set of system dependencies.
    + drop patches not required anymore:
      - delete debian/patches/dont_depend_on_nspr_sources.patch
      - update debian/patches/series
    + move .install lines that depend on whether MIN_SYS_DEPS is used or not
      to debian/rules in ifneq (,$(MIN_SYS_DEPS)) blocks
      - update debian/rules
      - update debian/firefox.install
    + ship gnome support .so's inside of the main package, but keep dependencies in
      the (now empty) gnome-support package; to achieve ...

Changed in firefox-3.5 (Ubuntu Karmic):
status: Fix Committed → Fix Released
Changed in firefox (Ubuntu Karmic):
status: Fix Committed → Won't Fix